Digitally signing the executable application

PowerBuilder has integrated code signing directly into the project compilation process. After you specify a code signing tool (such as Microsoft's SignTool) and a digital certificate in the project painter, your application executable (appname.exe) will be signed automatically after it is generated. This section provides detailed instructions for how to prepare the environment (including installing Microsoft's SignTool) and how to configure the project painter to sign the executable.

The instructions are applicable to the native client/server application executable (appname.exe), PowerClient-deployed application executable (appname.exe), and cloud app launcher executable (CloudAppLauncher_Installer.exe).

Note

You can also export these signing options to the build JSON file and automate the process using the PBAutoBuild tool (the command-line build tool for PowerBuilder).

Prerequisites

Before setting up code signing in PowerBuilder, ensure the following requirements are met:

  • You have a valid code signing certificate, provided as one of the following formats:

    • PFX file (Personal Information Exchange format)

    • Token-based certificate, such as one stored in a USB token, smart card, or EV (Extended Validation) token

    • HSM-based certificate, stored and managed within a Hardware Security Module (HSM)

  • You are using a supported operating system:

    • Windows 11 (any version)

    • Windows Server 2016 or newer

  • If you plan to use an EV (Extended Validation) certificate, ensure:

    • The EV USB token is inserted into the signing machine.

    • The certificate provider's CSP/KSP driver is correctly installed.

  • You have permission to access the timestamp server, execute the code signing tool, and write to the target directory.

Install SignTool

Before setting up code signing in PowerBuilder, you need to install a code signing tool, such as Microsoft's SignTool.

  1. Download and install the Windows SDK, which includes signtool.exe.

    • Minimum required version: 10.0.22621.755

    • SDK can be downloaded from the official Microsoft site

  2. Make sure signtool.exe is accessible (usually under C:\Program Files (x86)\Windows Kits\10\bin\x64).

  3. (Optional) If your signing workflow integrates with additional tools (e.g., for timestamping or automation), install those as well.

Configure code signing in PowerBuilder

In the project painter > Security page, you can configure signing in two ways.

Option 1: Use the SignTool utility from the Windows SDK

In the project painter > Security page, select "Use the SignTool utility from the Windows SDK" option, and then enter the following depending on your certificate type:

  1. When Certificate Type is PFX file, specify the following:

    • SignTool location (path to signtool.exe)

    • Certificate path (path to .pfx file)

    • Certificate password

    • Signature algorithm (e.g., SHA256)

    • URL of the time stamp server (e.g., http://timestamp.digicert.com)


  2. When Certificate Type is Token-based, specify the following:

    • SignTool location (path to signtool.exe)

    • Certificate thumbprint (required if multiple certificates exist)

      The certificate thumbprint is the unique identifier of a certificate. You are required to specify the certificate thumbprint only if you have multiple certificates. If there is only one certificate, you may leave the field empty.

    • Signature algorithm (e.g., SHA256)

    • URL of the time stamp server (e.g., http://timestamp.digicert.com)


Option 2: Use your own signing script

You can also write custom scripts to sign the executable using a PFX file, a token-based certificate, or a certificate stored in an HSM (Hardware Security Module).

This option gives you full control over the signing process and supports dynamic parameters (making your script reusable with different inputs).

  1. Create a .cmd file (e.g., sign_app.cmd) and place your signing logic into this file.

  2. In the project painter > Security page, select "Use your own signing script", and then set the script file path to the .cmd file.

    If signing with dynamic parameters, you must also pass in the parameter values immediately after the file path of the .cmd file.


Examples

The following examples demonstrate how to use a PFX file and a token-based certificate with both static and dynamic parameters.

To sign with a PFX file,

  • To sign with a PFX file with static parameters, you may write the following script in the .cmd file (using Microsoft’s SignTool for example):

    signtool.exe sign /f mycert.pfx /p password /d "My application" /du http://www.mytest.com /fd sha256 /tr "http://timestamp.digicert.com" /td sha256 salesdemo.exe

    And then in the "Use your own signing script" field, input the file path of the .cmd file, for example:

    D:\test\test.cmd

  • To sign with a PFX file with dynamic parameters, you may write the following script in the .cmd file:

    %4 sign /f %5 /p %2 /d "My application" /du test /fd sha256 /tr %3 /td sha256 %1

    And then in the "Use your own signing script" field, input the file path of the .cmd file and the parameter values (using Microsoft’s SignCode for example):

    "D:\test\sign_app.cmd" "salesdemo.exe" "password" "http://timestamp.digicert.com" "D:\test\signcode.exe" "D:\test\mycert.pfx"

    In the above example, the parameters are passed as follows:

    %1: Application executable file name, for example, "salesdemo.exe"

    %2: Certificate password

    %3: URL of the timestamp server

    %4: Path to the code signing tool

    %5: Path to the digital certificate

To sign with a token-based certificate, such as an EV (Extended Validation) code signing certificate,

  • To sign with a token-based certificate with static parameters, you may write the following script in the .cmd file:

    signcode.exe sign /fd SHA256 /a /sha1 "13731a37233bbd83eeb13e95c7898d1d76a2256c" /tr http://timestamp.digicert.com "salesdemo.exe"

    And then in the "Use your own signing script" field, input the file path of the .cmd file, for example:

    D:\test\test_token.cmd

  • To sign with a token-based certificate with dynamic parameters, you may write the following script in the .cmd file:

    %1 sign /a /fd sha256 /sha1 %2 /tr %3 /td sha256 %4

    And then in the "Use your own signing script" field, input the file path of the .cmd file and the parameter values (using Microsoft’s SignCode for example):

    "D:\test\test_token_param.cmd" "D:\test\signcode.exe" "13731a37233bbd83eeb13e95c7898d1d76a2256c" "http://timestamp.digicert.com" "salesdemo.exe"

    In the above example, the parameters are passed as follows:

    %1: Path to the code signing tool

    %2: Certificate thumbprint. You are required to specify the certificate thumbprint only if you have multiple certificates.

    %3: URL of the timestamp server

    %4: Application executable file name

To avoid having to re-enter the UKey password repeatedly (for instance, after the screen is locked or the system is restarted), you can use the "Use your own signing script" option and specify the token password in the signing commands, for example:

  • To sign with static parameters, you may write the following script in the .cmd file (using Microsoft’s SignCode for example):

    "D:\test_newsign\signcode.exe" sign /fd SHA256 /a /sha1 "13731a37233bbd83eeb13e95c7898d1d76a2256c" /tr http://timestamp.digicert.com /td SHA256 -f "D:\test_newsign\cersign.cer" /csp "eToken Base Cryptographic Provider" /K "[{{a*****}}]=p11#f408f337487afa2d" "echarts.exe"

    • -f: Specifies the .cer certificate file exported from an EV code signing certificate

    • /csp: Specifies the cryptographic service provider (CSP) that contains the private key container

    • /K: Specifies the token password and private key container name in this format: "[{{TokenPasswordHere}}]=KeyContainerNameHere"

  • To sign with dynamic parameters, you may write the following script in the .cmd file:

    %1 sign /a /fd sha256 /sha1 %2 /tr %3 /td sha256 /f %4 /csp %5 /K "[{{%6}}]=%7" %8

    And then in the "Use your own signing script" field, input the file path of the .cmd file and the parameter values (using Microsoft’s SignTool for example):

    "D:\EV_code_sign\ev_sign_dyn.cmd" "D:\EV_code_sign\signtool.exe" "725c43e53497a2c13e59682a2c4168f3b2016c76" "http://timestamp.digicert.com" "D:\EV_code_sign\EV_Cer\AppeonInc.cer" "eToken Base Cryptographic Provider" "a*****" "p11#e0c9d4175dd7b020" "echarts.exe"

    To use an EV certificate, please make sure that the signing machine has the EV USB key inserted, and that the certificate CSP/KSP driver is correctly installed.

    In the above example, the parameters are passed as follows:

    %1: Path to the code signing tool

    %2: Certificate thumbprint. You are required to specify the certificate thumbprint only if you have multiple certificates.

    %3: URL of the timestamp server

    %4: The .cer certificate file exported from an EV code signing certificate

    %5: The cryptographic service provider (CSP) that contains the private key container

    %6: The token password

    %7: The private key container name

    %8: Application executable file name
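As an added example (not part of the PowerBuilder documentation or product), the following single reusable sign_app.cmd covers both the PFX and the token-based dynamic-parameter cases above, goes slightly beyond them by selecting the case through a mode argument, checks its inputs, and verifies the signature after signing so that a broken or unsigned output fails the build. The mode selector, the argument order, the D:\build path and every value in the usage comments are assumptions; the signtool.exe switches (sign, verify, /f, /p, /a, /sha1, /fd, /tr, /td, /pa, /v) are the Windows SDK tool's own.

```batch
@echo off
setlocal
rem sign_app.cmd - hypothetical wrapper for the "Use your own signing script" option.
rem Value for the project painter field (one line, directory path without spaces):
rem   "D:\build\sign_app.cmd" <mode> <signtool.exe> <exe to sign> <timestamp URL> <mode args...>
rem   mode pfx   : <path to .pfx> <pfx password>
rem   mode token : <certificate thumbprint, or "" when only one certificate is in the store>
rem The .pfx password arrives as a parameter, so this file itself stores no secret.

set "MODE=%~1"
set "SIGNTOOL=%~2"
set "TARGET=%~3"
set "TSURL=%~4"

if not exist "%SIGNTOOL%" (echo [sign] signtool not found: "%SIGNTOOL%" & exit /b 2)
if not exist "%TARGET%"   (echo [sign] target not found: "%TARGET%" & exit /b 2)

if /i "%MODE%"=="pfx"   goto :pfx
if /i "%MODE%"=="token" goto :token
echo [sign] unknown mode "%MODE%", expected pfx or token & exit /b 2

:pfx
rem %5 = .pfx path, %6 = password; SHA-256 file digest and RFC 3161 timestamp as on the page
"%SIGNTOOL%" sign /f "%~5" /p "%~6" /fd sha256 /tr "%TSURL%" /td sha256 "%TARGET%"
goto :verify

:token
rem %5 = thumbprint; /a lets signtool pick the certificate when the store holds only one
if "%~5"=="" (
  "%SIGNTOOL%" sign /a /fd sha256 /tr "%TSURL%" /td sha256 "%TARGET%"
) else (
  "%SIGNTOOL%" sign /a /fd sha256 /sha1 "%~5" /tr "%TSURL%" /td sha256 "%TARGET%"
)
goto :verify

:verify
if errorlevel 1 (echo [sign] signing failed & exit /b 1)
rem /pa = Default Authenticode verification policy; /v prints signer chain and timestamp details
"%SIGNTOOL%" verify /pa /v "%TARGET%"
if errorlevel 1 (echo [sign] signature verification failed & exit /b 1)
echo [sign] signed and verified "%TARGET%"
endlocal
exit /b 0
```

A non-zero exit code from the script surfaces the failure to the build instead of leaving an unsigned appname.exe in the output directory; the page's /csp and /K token-password variant can be added to the token branch as two further positional parameters.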

Best practices

  • For .cmd files with static parameters, both the file name and directory path can contain spaces.

  • For .cmd files with dynamic parameters, the directory path should not contain spaces, though the file name can.

  • Use absolute paths to avoid path resolution issues.

  • Wrap any path with spaces in double quotes.

  • You can test your script independently in Command Prompt or PowerShell before using it in PowerBuilder.